blackmoon | acac7cc22d5f44bb386a48dd023c61e294012fee1ac8655403f093106e414685

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
22/04/2025, 02:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-22_70d9a6b536a493fd7d595a0528cb45a0_amadey_cloudeye_elex_hacktools_mimikatz_rhadamanthys_smoke-loader.exe
Size

11.5MB
MD5

70d9a6b536a493fd7d595a0528cb45a0
SHA1

916464e96c1bd20dc2c313191bda72bcf98931c8
SHA256

acac7cc22d5f44bb386a48dd023c61e294012fee1ac8655403f093106e414685
SHA512

2ef2e9db626182018983aef0cb4308f35c4497b6784621c6c13099acc1fff0875b4b54b8b942e0c30a12710a54a6c0c5229f3af76ffc5a2c5109fc191858d764
SSDEEP

196608:9EaOk2c1uwl1CPwDv3uFhi43v13uFnCPws8S/VW08Sr8lQeY3YKmknGzwHIPHd9H:95nEwl1CPwDv3uFY43v13uFnCPwa/VWH

Score

10^/10

blackmoon mimikatz banker discovery trojan upx

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 5 IoCs

resource	yara_rule
behavioral1/memory/3940-0-0x0000000000400000-0x0000000000CEB000-memory.dmp	family_blackmoon
behavioral1/memory/3940-4-0x0000000000400000-0x0000000000CEB000-memory.dmp	family_blackmoon
behavioral1/files/0x00080000000240ba-6.dat	family_blackmoon
behavioral1/memory/4552-8-0x0000000000400000-0x0000000000CEB000-memory.dmp	family_blackmoon
behavioral1/memory/4764-17-0x0000000000400000-0x0000000000466000-memory.dmp	family_blackmoon

Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Mimikatz family
mimikatz

mimikatz is an open source tool to dump credentials on Windows 4 IoCs

resource	yara_rule
behavioral1/memory/3940-0-0x0000000000400000-0x0000000000CEB000-memory.dmp	mimikatz
behavioral1/memory/3940-4-0x0000000000400000-0x0000000000CEB000-memory.dmp	mimikatz
behavioral1/files/0x00080000000240ba-6.dat	mimikatz
behavioral1/memory/4552-8-0x0000000000400000-0x0000000000CEB000-memory.dmp	mimikatz

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	ulpqvln.exe

Executes dropped EXE 3 IoCs

pid	Process
4552	ulpqvln.exe
4524	ulpqvln.exe
4764	nwehnvopoppqkrs28008.exe

Unexpected DNS network traffic destination 63 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	flow	ioc	pid	Process
Destination IP	98	51.75.173.177	5700	nslookup.exe
Destination IP	117	207.148.83.241	6124	nslookup.exe
Destination IP	129	142.4.204.111	4076	nslookup.exe
Destination IP	147	51.254.25.115	428	nslookup.exe
Destination IP	153	89.40.116.230	1436	nslookup.exe
Destination IP	85	188.226.146.136	3796	nslookup.exe
Destination IP	133	142.4.205.47	2916	nslookup.exe
Destination IP	148	185.84.81.194	936	nslookup.exe
Destination IP	151	185.84.81.194	936	nslookup.exe
Destination IP	82	51.77.227.84	2360	nslookup.exe
Destination IP	109	5.132.191.104	4352	nslookup.exe
Destination IP	110	13.239.157.177	2540	nslookup.exe
Destination IP	142	66.70.228.164	2532	nslookup.exe
Destination IP	121	207.148.83.241	6124	nslookup.exe
Destination IP	31	161.97.219.84	5564	nslookup.exe
Destination IP	39	163.172.168.171	6040	nslookup.exe
Destination IP	71	94.103.153.176	4924	nslookup.exe
Destination IP	86	188.226.146.136	3796	nslookup.exe
Destination IP	107	144.76.103.143	3128	nslookup.exe
Destination IP	126	142.4.204.111	4076	nslookup.exe
Destination IP	128	142.4.204.111	4076	nslookup.exe
Destination IP	83	51.77.227.84	2360	nslookup.exe
Destination IP	144	66.70.228.164	2532	nslookup.exe
Destination IP	152	185.84.81.194	936	nslookup.exe
Destination IP	122	165.227.40.43	5880	nslookup.exe
Destination IP	132	142.4.205.47	2916	nslookup.exe
Destination IP	155	89.40.116.230	1436	nslookup.exe
Destination IP	79	51.77.227.84	2360	nslookup.exe
Destination IP	100	79.124.7.81	5340	nslookup.exe
Destination IP	113	13.239.157.177	2540	nslookup.exe
Destination IP	84	188.226.146.136	3796	nslookup.exe
Destination IP	115	207.148.83.241	6124	nslookup.exe
Destination IP	125	165.227.40.43	5880	nslookup.exe
Destination IP	134	198.100.148.224	1648	nslookup.exe
Destination IP	137	198.100.148.224	1648	nslookup.exe
Destination IP	72	207.192.71.13	5984	nslookup.exe
Destination IP	78	178.63.116.152	3852	nslookup.exe
Destination IP	99	51.75.173.177	5700	nslookup.exe
Destination IP	104	144.76.103.143	3128	nslookup.exe
Destination IP	30	161.97.219.84	5564	nslookup.exe
Destination IP	41	163.172.168.171	6040	nslookup.exe
Destination IP	75	207.192.71.13	5984	nslookup.exe
Destination IP	103	79.124.7.81	5340	nslookup.exe
Destination IP	106	144.76.103.143	3128	nslookup.exe
Destination IP	61	94.103.153.176	4924	nslookup.exe
Destination IP	74	207.192.71.13	5984	nslookup.exe
Destination IP	77	178.63.116.152	3852	nslookup.exe
Destination IP	102	79.124.7.81	5340	nslookup.exe
Destination IP	130	142.4.205.47	2916	nslookup.exe
Destination IP	146	51.254.25.115	428	nslookup.exe
Destination IP	108	5.132.191.104	4352	nslookup.exe
Destination IP	136	198.100.148.224	1648	nslookup.exe
Destination IP	51	163.172.168.171	6040	nslookup.exe
Destination IP	55	94.103.153.176	4924	nslookup.exe
Destination IP	114	13.239.157.177	2540	nslookup.exe
Destination IP	124	165.227.40.43	5880	nslookup.exe
Destination IP	138	159.203.38.175	4412	nslookup.exe
Destination IP	141	159.203.38.175	4412	nslookup.exe
Destination IP	145	66.70.228.164	2532	nslookup.exe
Destination IP	29	161.97.219.84	5564	nslookup.exe
Destination IP	76	178.63.116.152	3852	nslookup.exe
Destination IP	96	51.75.173.177	5700	nslookup.exe
Destination IP	140	159.203.38.175	4412	nslookup.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4764-15-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/files/0x00090000000240c3-16.dat	upx
behavioral1/memory/4764-17-0x0000000000400000-0x0000000000466000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\iupefbeq\ulpqvln.exe	2025-04-22_70d9a6b536a493fd7d595a0528cb45a0_amadey_cloudeye_elex_hacktools_mimikatz_rhadamanthys_smoke-loader.exe
File opened for modification	C:\Windows\iupefbeq\ulpqvln.exe	2025-04-22_70d9a6b536a493fd7d595a0528cb45a0_amadey_cloudeye_elex_hacktools_mimikatz_rhadamanthys_smoke-loader.exe
File created	C:\Windows\iupefbeq\nwehnvopoppqkrs28008.exe	ulpqvln.exe

System Location Discovery: System Language Discovery 1 TTPs 49 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ulpqvln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ulpqvln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-22_70d9a6b536a493fd7d595a0528cb45a0_amadey_cloudeye_elex_hacktools_mimikatz_rhadamanthys_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5388	PING.EXE
3024	cmd.exe

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral1/files/0x00080000000240ba-6.dat	nsis_installer_2

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5388	PING.EXE

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
4764	nwehnvopoppqkrs28008.exe
4764	nwehnvopoppqkrs28008.exe
4764	nwehnvopoppqkrs28008.exe
4764	nwehnvopoppqkrs28008.exe
4764	nwehnvopoppqkrs28008.exe
4764	nwehnvopoppqkrs28008.exe
4764	nwehnvopoppqkrs28008.exe
4764	nwehnvopoppqkrs28008.exe
4764	nwehnvopoppqkrs28008.exe
4764	nwehnvopoppqkrs28008.exe
4764	nwehnvopoppqkrs28008.exe
4764	nwehnvopoppqkrs28008.exe
4764	nwehnvopoppqkrs28008.exe
4764	nwehnvopoppqkrs28008.exe
4764	nwehnvopoppqkrs28008.exe
4764	nwehnvopoppqkrs28008.exe
4764	nwehnvopoppqkrs28008.exe
4764	nwehnvopoppqkrs28008.exe
4764	nwehnvopoppqkrs28008.exe
4764	nwehnvopoppqkrs28008.exe
4764	nwehnvopoppqkrs28008.exe
4764	nwehnvopoppqkrs28008.exe
4764	nwehnvopoppqkrs28008.exe
4764	nwehnvopoppqkrs28008.exe
4764	nwehnvopoppqkrs28008.exe
4764	nwehnvopoppqkrs28008.exe
4764	nwehnvopoppqkrs28008.exe
4764	nwehnvopoppqkrs28008.exe
4764	nwehnvopoppqkrs28008.exe
4764	nwehnvopoppqkrs28008.exe
4764	nwehnvopoppqkrs28008.exe
4764	nwehnvopoppqkrs28008.exe
4764	nwehnvopoppqkrs28008.exe
4764	nwehnvopoppqkrs28008.exe
4764	nwehnvopoppqkrs28008.exe
4764	nwehnvopoppqkrs28008.exe
4764	nwehnvopoppqkrs28008.exe
4764	nwehnvopoppqkrs28008.exe
4764	nwehnvopoppqkrs28008.exe
4764	nwehnvopoppqkrs28008.exe
4764	nwehnvopoppqkrs28008.exe
4764	nwehnvopoppqkrs28008.exe
4764	nwehnvopoppqkrs28008.exe
4764	nwehnvopoppqkrs28008.exe
4764	nwehnvopoppqkrs28008.exe
4764	nwehnvopoppqkrs28008.exe
4764	nwehnvopoppqkrs28008.exe
4764	nwehnvopoppqkrs28008.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3940	2025-04-22_70d9a6b536a493fd7d595a0528cb45a0_amadey_cloudeye_elex_hacktools_mimikatz_rhadamanthys_smoke-loader.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3940	2025-04-22_70d9a6b536a493fd7d595a0528cb45a0_amadey_cloudeye_elex_hacktools_mimikatz_rhadamanthys_smoke-loader.exe
Token: SeDebugPrivilege	4552	ulpqvln.exe
Token: SeDebugPrivilege	4524	ulpqvln.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3940	2025-04-22_70d9a6b536a493fd7d595a0528cb45a0_amadey_cloudeye_elex_hacktools_mimikatz_rhadamanthys_smoke-loader.exe
4552	ulpqvln.exe
4524	ulpqvln.exe
4764	nwehnvopoppqkrs28008.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3940 wrote to memory of 3024	3940	2025-04-22_70d9a6b536a493fd7d595a0528cb45a0_amadey_cloudeye_elex_hacktools_mimikatz_rhadamanthys_smoke-loader.exe	84
PID 3940 wrote to memory of 3024	3940	2025-04-22_70d9a6b536a493fd7d595a0528cb45a0_amadey_cloudeye_elex_hacktools_mimikatz_rhadamanthys_smoke-loader.exe	84
PID 3940 wrote to memory of 3024	3940	2025-04-22_70d9a6b536a493fd7d595a0528cb45a0_amadey_cloudeye_elex_hacktools_mimikatz_rhadamanthys_smoke-loader.exe	84
PID 3024 wrote to memory of 5388	3024	cmd.exe	86
PID 3024 wrote to memory of 5388	3024	cmd.exe	86
PID 3024 wrote to memory of 5388	3024	cmd.exe	86
PID 3024 wrote to memory of 4552	3024	cmd.exe	94
PID 3024 wrote to memory of 4552	3024	cmd.exe	94
PID 3024 wrote to memory of 4552	3024	cmd.exe	94
PID 4524 wrote to memory of 4764	4524	ulpqvln.exe	96
PID 4524 wrote to memory of 4764	4524	ulpqvln.exe	96
PID 4524 wrote to memory of 4764	4524	ulpqvln.exe	96
PID 4524 wrote to memory of 5368	4524	ulpqvln.exe	97
PID 4524 wrote to memory of 5368	4524	ulpqvln.exe	97
PID 4524 wrote to memory of 5368	4524	ulpqvln.exe	97
PID 5368 wrote to memory of 5564	5368	cmd.exe	99
PID 5368 wrote to memory of 5564	5368	cmd.exe	99
PID 5368 wrote to memory of 5564	5368	cmd.exe	99
PID 4524 wrote to memory of 3944	4524	ulpqvln.exe	103
PID 4524 wrote to memory of 3944	4524	ulpqvln.exe	103
PID 4524 wrote to memory of 3944	4524	ulpqvln.exe	103
PID 3944 wrote to memory of 6040	3944	cmd.exe	105
PID 3944 wrote to memory of 6040	3944	cmd.exe	105
PID 3944 wrote to memory of 6040	3944	cmd.exe	105
PID 4524 wrote to memory of 5384	4524	ulpqvln.exe	108
PID 4524 wrote to memory of 5384	4524	ulpqvln.exe	108
PID 4524 wrote to memory of 5384	4524	ulpqvln.exe	108
PID 5384 wrote to memory of 4924	5384	cmd.exe	110
PID 5384 wrote to memory of 4924	5384	cmd.exe	110
PID 5384 wrote to memory of 4924	5384	cmd.exe	110
PID 4524 wrote to memory of 2556	4524	ulpqvln.exe	117
PID 4524 wrote to memory of 2556	4524	ulpqvln.exe	117
PID 4524 wrote to memory of 2556	4524	ulpqvln.exe	117
PID 2556 wrote to memory of 5984	2556	cmd.exe	119
PID 2556 wrote to memory of 5984	2556	cmd.exe	119
PID 2556 wrote to memory of 5984	2556	cmd.exe	119
PID 4524 wrote to memory of 5484	4524	ulpqvln.exe	120
PID 4524 wrote to memory of 5484	4524	ulpqvln.exe	120
PID 4524 wrote to memory of 5484	4524	ulpqvln.exe	120
PID 5484 wrote to memory of 3852	5484	cmd.exe	122
PID 5484 wrote to memory of 3852	5484	cmd.exe	122
PID 5484 wrote to memory of 3852	5484	cmd.exe	122
PID 4524 wrote to memory of 1632	4524	ulpqvln.exe	123
PID 4524 wrote to memory of 1632	4524	ulpqvln.exe	123
PID 4524 wrote to memory of 1632	4524	ulpqvln.exe	123
PID 1632 wrote to memory of 2360	1632	cmd.exe	125
PID 1632 wrote to memory of 2360	1632	cmd.exe	125
PID 1632 wrote to memory of 2360	1632	cmd.exe	125
PID 4524 wrote to memory of 1516	4524	ulpqvln.exe	126
PID 4524 wrote to memory of 1516	4524	ulpqvln.exe	126
PID 4524 wrote to memory of 1516	4524	ulpqvln.exe	126
PID 1516 wrote to memory of 3796	1516	cmd.exe	128
PID 1516 wrote to memory of 3796	1516	cmd.exe	128
PID 1516 wrote to memory of 3796	1516	cmd.exe	128
PID 4524 wrote to memory of 1052	4524	ulpqvln.exe	129
PID 4524 wrote to memory of 1052	4524	ulpqvln.exe	129
PID 4524 wrote to memory of 1052	4524	ulpqvln.exe	129
PID 1052 wrote to memory of 5700	1052	cmd.exe	131
PID 1052 wrote to memory of 5700	1052	cmd.exe	131
PID 1052 wrote to memory of 5700	1052	cmd.exe	131
PID 4524 wrote to memory of 5768	4524	ulpqvln.exe	133
PID 4524 wrote to memory of 5768	4524	ulpqvln.exe	133
PID 4524 wrote to memory of 5768	4524	ulpqvln.exe	133
PID 5768 wrote to memory of 5340	5768	cmd.exe	135

C:\Users\Admin\AppData\Local\Temp\2025-04-22_70d9a6b536a493fd7d595a0528cb45a0_amadey_cloudeye_elex_hacktools_mimikatz_rhadamanthys_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-22_70d9a6b536a493fd7d595a0528cb45a0_amadey_cloudeye_elex_hacktools_mimikatz_rhadamanthys_smoke-loader.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3940
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\iupefbeq\ulpqvln.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:5388
- - C:\Windows\iupefbeq\ulpqvln.exe
    C:\Windows\iupefbeq\ulpqvln.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4552

C:\Windows\iupefbeq\ulpqvln.exe
C:\Windows\iupefbeq\ulpqvln.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4524
- C:\Windows\iupefbeq\nwehnvopoppqkrs28008.exe
  C:\Windows\iupefbeq\nwehnvopoppqkrs28008.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4764
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 161.97.219.84
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5368
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 161.97.219.84
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:5564
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 163.172.168.171
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3944
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 163.172.168.171
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:6040
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 94.103.153.176
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5384
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 94.103.153.176
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:4924
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 207.192.71.13
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 207.192.71.13
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:5984
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 178.63.116.152
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5484
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 178.63.116.152
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:3852
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 51.77.227.84
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 51.77.227.84
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:2360
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 188.226.146.136
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1516
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 188.226.146.136
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:3796
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 51.75.173.177
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1052
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 51.75.173.177
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:5700
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 79.124.7.81
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5768
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 79.124.7.81
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:5340
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 144.76.103.143
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5712
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 144.76.103.143
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:3128
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 5.132.191.104
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5580
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 5.132.191.104
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:4352
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 13.239.157.177
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3904
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 13.239.157.177
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:2540
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 207.148.83.241
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3360
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 207.148.83.241
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:6124
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 165.227.40.43
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4576
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 165.227.40.43
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:5880
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 142.4.204.111
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5864
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 142.4.204.111
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:4076
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 142.4.205.47
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3016
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 142.4.205.47
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:2916
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 198.100.148.224
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3384
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 198.100.148.224
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:1648
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 159.203.38.175
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5636
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 159.203.38.175
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:4412
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 66.70.228.164
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3572
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 66.70.228.164
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:2532
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 51.254.25.115
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3964
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 51.254.25.115
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:428
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 185.84.81.194
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1300
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 185.84.81.194
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:936
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c nslookup -qt=A amxread.lib 89.40.116.230
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5148
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -qt=A amxread.lib 89.40.116.230
    3⤵
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:1436

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\iupefbeq\nwehnvopoppqkrs28008.exe

Filesize
69KB

MD5
8a761ad0a469caa921b8a1bdb989b9d1

SHA1
4584c31d116e15f402cc17122edd304eb6c95b2e

SHA256
875abc09f1abc43dfcc8a9c2a5e541c9a8bcaf33a4e8faa20c58947f8c8b56fa

SHA512
d2e541a9a245ea883b54e06583c5db4532e042e333f633e9dc20a1fd5d8d11c46a283274bcde0f972234a63f95e518a27da50f34a1899d88a398bbeb76cb371f

Download Submit
C:\Windows\iupefbeq\ulpqvln.exe

Filesize
11.6MB

MD5
131850efc111cb4b61f4bbd7a5db768a

SHA1
7c71aa46b424fb152314794374f66ae9b80dbcf0

SHA256
51f68f0210a9d346019ee1a9e835a648d6391c73fe7be11bad0e094ccc73b618

SHA512
c1c4becb0feffb22330e3ad3cbaa1390a3e6ba533017bbbc6bfa4f25982fe91c66bab07d9c164e377827b12e09ff9cfde58b0f97fd238f33746333756b8ab190

Download Submit
memory/3940-0-0x0000000000400000-0x0000000000CEB000-memory.dmp

Filesize
8.9MB

Download
memory/3940-4-0x0000000000400000-0x0000000000CEB000-memory.dmp

Filesize
8.9MB

Download
memory/4552-8-0x0000000000400000-0x0000000000CEB000-memory.dmp

Filesize
8.9MB

Download
memory/4764-15-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4764-17-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download